Introduction

In this article, we will take a look at the use case of Connecting AWS WAF to AWS API Gateway via Serverless Framework. AWS WAF is a great service for making application security stronger.

In a previous article: Serverless Security: Preventing HTTP Flood DDoS Attack we covered how AWS WAF helps to prevent HTTP Flood DDoS attacks.

This article's entire PoC (proof-of-concept) uses IaC (Infrastructure as code) written with Serverless Framework. You can download the template from our website, HERE

What is AWS WAF?

AWS WAF is a web application firewall that helps protect your web applications / APIs against common web exploits and bots. Attacks may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns.

AWS WAF is possible to deploy on:

• Amazon CloudFront
• Application Load Balancer
• Amazon API Gateway
• AWS AppSync

Protect API Gateway from DDoS with AWS WAF via Serverless Framework

Create Serverless Framework Project

  
serverless create --template aws-nodejs --path sls-waf-apigateway
cd sls-waf-apigateway
npm init
  

Below is what your final project will look like by following each section of this article. I’m sharing it now so you can check what I have versus what you have as the article continues.

  
serverless.yml <-- Main SLS IaC file, Associate WAF with API Gateway using plugin
resources/waf.yml <-- SLS IaC file, Create WAF Web ACL Resources using CloudFormation
handler.js <-- API lambda handler
package.json <-- npm package manager
  

Serverless Framework IaC - Associate AWS WAF to AWS API Gateway

Serverless Framework plugin Serverless Associate WAF is used to Associate a regional AWS WAF with the AWS API Gateway used by your Serverless stack.

  
npm install serverless-associate-waf --save-dev
  

Below, the Serverless Framework IaC code snippet will create these resources:

• 1 AWS Lambda Function
• 1 API of REST type in AWS API Gateway
• Associate regional AWS WAF with API Gateway for the current stack (which we will create later step in this article)

serverless.yml

  
service: sls-waf-apigateway
frameworkVersion: '3'

provider:
  name: aws
  runtime: nodejs14.x
  region: ${opt:region, "us-east-1"}
  stage: ${opt:stage, "dev"}

plugins:
  - serverless-associate-waf

# Associate WAF Web ACL with API Gateway of current stack
custom:
  associateWaf:
    name: ${self:resources.Resources.WAFRegionalWebACL.Properties.Name}
    version: V2 #(optional) Regional | V2

functions:
  todolist:
    handler: handler.todolist
    events:
      - http:
          path: /todo/list
          method: get

# CloudFormation Resources
# Create WAF Regional Web ACL with RateBased Rule to Prevent HTTP Flood DDos Attack
resources:
  Resources:
    WAFRegionalWebACL: ${file(resources/waf.yml):WAFRegionalWebACL}
  

The above IaC snippet associates WAF to API Gateway in the current stack. Next, we will create that WAF using the CloudFormation IaC code found below; which we are importing into this file in the last line.

AWS CloudFormation - Create WAF Regional Web ACL with Rate-Based Rule

resources/waf.yml

  
# CloudFormation Resources
# Create WAF Regional Web ACL with Rate-Based Rule to Prevent HTTP Flood DDoS Attack
WAFRegionalWebACL:
  Type: "AWS::WAFv2::WebACL"
  Properties:
    Name: ApiGateway-HTTP-Flood-Prevent-Auto-${self:provider.stage}
    Scope: REGIONAL
    Description: WAF Regional Web ACL to Prevent HTTP Flood DDos Attack
    DefaultAction:
      Allow: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: ApiGateway-HTTP-Flood-Prevent-Metric
    Rules:
      - Name: HTTP-Flood-Prevent-Rule
        Priority: 0
        Action:
          Block: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: HTTP-Flood-Prevent-Rule-Metric
        Statement:
          RateBasedStatement:
            AggregateKeyType: IP
            Limit: 2000  # rate limit adjust as per your real traffic
  

The above AWS CloudFormation IaC code helps you create AWS WAF Regional Web ACL with a Rate-Based rule to prevent HTTP Flood DDoS attacks. After creating Regional AWS WAF, we can easily associate the same with stack’s AWS API Gateway (as explained earlier in this article) using the Serverless Framework plugin ‘serverless-associate-waf’.

Conclusion

Serverless Framework Infrastructure as Code allows us to associate AWS WAF with API Gateway within the serverless stack using the plugin ecosystem. AWS WAF along with API Gateway make APIs more secure against DDoS attacks.

Sources

1. https://aws.amazon.com/waf/
2. https://www.serverless.com/plugins/serverless-associate-waf
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html
4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatement.html